
Detecting Computer Security Attacks by Technical Methods


Intrusion Detection
Ajoy Kumar 07/08/2005



Abstract



In our nation, computers and networks play a very critical role in data processing, monitoring and storage in all critical areas, including transportation, finance, energy and health care. With the huge rise in the sheer number of cyber attacks, our computer infrastructure is extremely vulnerable: the number of attacks grows day by day and the sophistication of attacks is rising. Current cyber security preparedness is not sufficient to protect our critical infrastructure. A higher level of awareness, technology and process is required to implement security in our infrastructure. None of the available technologies offers a complete solution for near real time attack detection. Organizations need to address security as part of the requirements for projects. It is essential for organizations to develop frameworks for detecting and handling cyber attacks.


Introduction



Through the last decade, the rise of commercial interest in the internet has made cyber infrastructure a critical component of our economy. The number of attacks on cyber infrastructure is constantly on the rise; despite the fact that only a handful of attacks have really materialized, their marks have been all over. How to detect a computer security attack is probably the most challenging task on the hands of security practitioners. This question of ‘how to detect’ an attack has manifested itself in all sectors of computer and cyber security. To detect an attack one has to be ahead of the curve, in the mind set of an attacker. It is like doing real time (predictive) forensics of a computer system. The critical task is not to allow an attacker to slip by invisibly, but to track, identify and even prevent computer attacks. Defining what an attack is is a difficult task, as it can be a matter of perspective. According to John McHugh, Alan Christie, and Julia Allen of CERT/CC, “The attacker viewpoint is typically characterized by intent and risk of exposure.” [1] The same researchers at CERT define the victim’s perspective: “From a victim’s perspective, intrusions are characterized by their manifestations, which might or might not include damage. Some attacks produce no manifestations and some apparent manifestations are caused by system or network malfunctions. Some attacks involve the (involuntary) participation of additional machines, usually victims of earlier attacks. For an intrusion to occur there must be both an overt act by an attacker and a manifestation, observable by the intended victim, that results from that act.”

What is a Computer Security Attack?

“Any action that compromises the security information owned by an organization.” [2]

There are two high level types of attacks on computer systems:
  1. Passive Attacks
  2. Active Attacks

Passive Attacks


These attacks are of the nature of eavesdropping: monitoring the traffic or transmission. The goal of the attacker is to gain the most information from the transmitted message and to gather information on the opponent. Passive attacks are of the following types:
  1. Release of message contents: A telephone conversation, an email, a transmitted file or confidential information captured by an opponent is categorized as this type of attack.
  2. Traffic analysis: This is a very subtle attack. Suppose that there are means of sending confidential messages that do not allow the attacker to gain the contents of the message. The attacker is still able to observe the messages: the transmission of a message, the frequency of message dispatch, the length of messages etc. This information can be very helpful in guessing the nature of the communication.
Passive attacks are very hard to detect. They are meant for reconnaissance and precede active attacks.

Active Attacks


These are attacks which involve compromising the basic pillars of security practice, namely CIA (Confidentiality, Integrity and Availability). Active attacks are of the following types:
  1. Denial of Service: The motive of this attack is to stop access to a given asset by any other person. It has a variant in the form of DDOS.
  2. Masquerade: Here the attacker represents himself as a legitimate user with the objective of stealing, altering or destroying assets.
  3. Replay: These attacks recreate original situations in order to alter information (assets).
  4. Modification of message contents: The original information is altered in a way that the real user does not discover until there has been a loss.
Since attacks are on the rise, for practical tracking purposes some groups classify attacks as reconnaissance (probe), worm related attacks and non-worm related attacks [21].


Objective



In this paper I will describe some possible technologies for detecting computer attacks. I will also argue the case that it is impossible to detect computer attacks with a single technology, as they are evolving to a level beyond its scope. Human intelligence is needed to correlate information from various points in an organization to detect attacks. Security attack detection should have two clear parts: a human part and a technical part. The technical part includes tools and processes. Currently the industry is focused more on the technical part, but it is becoming clearer every day that humans need to do more in the attack detection process. Security layers do help, but attackers have been using smart techniques of blending attacks together, making detection extremely difficult.

Detection of Attacks


Detection of security attacks is challenging as the sophistication of attacks is continuously rising, despite the fact that attackers have less information on target systems.


Figure: Attack Sophistication, taken from [1] (http://www.cert.org/archive/pdf/IEEE_IDS.pdf)

Attack detection is both a science and an art. It is a science because one has to learn the technology and tools and understand the system dynamics; it is an art because one has to be creative in the techniques for analyzing the results and then come up with creative ways to profile the system, detect the right patterns and find an attack.

For example, suppose an attacker is using IP spoofing to take over the identity of a trusted host or to attain trusted communication with the target host. If the attacker gets a backdoor entry into the system, then future attacks and intrusions are much easier. Similar spoofing of DNS gives the attacker ways to control the domain resolution process. As simple as the attack is, the detection can be just as simple: use a good spoofing program yourself and test for this vulnerability. If this vulnerability is coupled with incorrect settings in the packet filtering policy, the attack is possible and can be detected. An example of a good policy in this scenario is: any packet coming into your network must not have a source address of your internal network, and any packet coming into your network must have a destination address of your internal network. Furthermore, if the DHCP auto configuration and multicast addresses (0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 224.0.0.0/4 or 24.0.0.0/4) are not blocked, attacks are imminent these days. Attackers now-a-days are capable of modular attacks and of covering their tracks, which makes detection a further challenging task. Security devices such as IDS/IPS, firewalls (packet and application) and proxy filters can monitor attacks and suspicious behavior at different levels in an enterprise, yet the number of attacks is increasing day by day. According to the latest research by Symantec [21] there is an average of 13.62 attacks per day on a typical organization. The typical life cycle of attacks is shown in the following diagram.
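The ingress policy described above, as an added example that is not part of the original paper: a small filter check run over constructed packet headers. The internal prefix 10.1.0.0/16 and the sample packets are assumptions; the blocked source ranges are the ones listed in the text.

```python
# Added example (not from the original article): an ingress-filter check
# implementing the anti-spoofing policy described above, run over a few
# constructed packet headers. The internal prefix and packets are assumptions.
import ipaddress
from typing import List, Tuple

# Assumption: the protected internal network is 10.1.0.0/16.
INTERNAL = ipaddress.ip_network("10.1.0.0/16")

# Source ranges the text says an edge filter should block on inbound traffic.
# The article's fifth entry "24.0.0.0/4" is not an aligned prefix, so it is
# left out here rather than guessed at.
BLOCKED_SOURCES = [
    ipaddress.ip_network("0.0.0.0/8"),          # "this" network / DHCP discover
    ipaddress.ip_network("169.254.0.0/16"),     # link-local auto configuration
    ipaddress.ip_network("192.0.2.0/24"),       # TEST-NET, documentation only
    ipaddress.ip_network("224.0.0.0/4"),        # multicast, never a unicast source
]

def ingress_verdict(src: str, dst: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a packet arriving on the external interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in INTERNAL:
        # An outside packet claiming an inside source is spoofed by definition.
        return False, "spoofed internal source"
    if d not in INTERNAL:
        # Inbound traffic must be addressed to us; anything else is misrouted or spoofed.
        return False, "destination not internal"
    for net in BLOCKED_SOURCES:
        if s in net:
            return False, f"source in blocked range {net}"
    return True, "ok"

def audit_packets(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) for every packet the policy would drop."""
    dropped = []
    for src, dst in packets:
        allowed, reason = ingress_verdict(src, dst)
        if not allowed:
            dropped.append((src, dst, reason))
    return dropped

# Constructed sample of inbound packet headers (src, dst), not captured traffic.
SAMPLE_PACKETS = [
    ("203.0.113.7", "10.1.4.20"),      # ordinary inbound connection
    ("10.1.4.20", "10.1.4.21"),        # inside source arriving from outside: spoof
    ("203.0.113.7", "198.51.100.9"),   # not destined to us: transit or spoof
    ("169.254.10.10", "10.1.4.20"),    # link-local source
    ("224.0.0.5", "10.1.4.20"),        # multicast as a unicast source
]

if __name__ == "__main__":
    for row in audit_packets(SAMPLE_PACKETS):
        print("DROP %-15s -> %-15s %s" % row)
```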


Figure: Attack life cycle, taken from http://www.att.com/ir/pdf/industry_072204.pdf#search='ed%20amoroso%20attack [26]


Tools and Technologies for Attack Detection



Detecting Attacks using Logs


Logging of information is the key to detecting computer attacks. Logging is one of the best techniques to detect attacks that have occurred and attacks that are in progress. Logging is very important, and attackers often try to cover their tracks by purging logs. Logs should be secured [3]. Emerging best practices say to keep logs on WORM devices.

A typical set of steps to detect signs of an attack on a Unix system is detailed below:
  1. Typically intruders leave setuid copies of /bin/sh or /bin/time to give themselves root access at a later time. System administrators should periodically check for such files.
  2. Check the system binaries to make sure that they have not been altered. Intruders tend to alter UNIX system programs such as login, su, telnet, find, netstat, df, libc etc., the programs referenced in /etc/inetd.conf, and other critical network programs, shared libraries and system programs. Taking a baseline of system binaries after a fresh install is very valuable. Backups of these binaries could be infected with Trojan horses over a period of time. Trojan horses produce the same standard checksum and timestamp as the legitimate versions. Use of Tripwire, MD5 and other cryptographic checksums helps keep programs secure. These checksums are then signed for comparison purposes. It does slow down processing, but it is still becoming a standard practice in many shops.
  3. Unauthorized use of sniffers and other network monitoring programs should be audited and checked, since these can be used for account and password capture.
  4. Unauthorized services may be added or changed in /etc/inetd.conf. All services should be checked to see what exactly is being invoked and that the programs are not Trojan infected.
  5. Cron and at are notorious for leaving back doors even when the actual job entries are not re-writable.
  6. The /etc/passwd file should be checked for modifications. Any addition of accounts should be closely monitored. Accounts with no passwords should receive special attention; a change of UID on an account is a typical signature of attack.
  7. Keep baseline versions of network and system configuration files for comparison purposes. Audit all changes to these configuration files. These files should have carefully chosen and audited ACLs.
  8. Hidden files should be scanned and carefully examined. Trojan programs and password cracking utilities are typically stored in innocuous looking files.
  9. Keep special track of the .rhosts file. This is the typical file that attackers use for moving from one machine to another.
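Steps 1 and 2 above, as an added example that is not from the paper or from Tripwire: a baseline-and-compare check that hashes every file under a tree, then reports added, removed and modified files and flags any file that newly carries the setuid bit. The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
# Added example (not from the article): baseline a directory tree by SHA-256
# digest and file mode, then compare a later snapshot and flag new setuid files.
# The tree built in a temporary directory is constructed for the demo.
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[str, int]]   # relative path -> (sha256, mode)

def snapshot(root: str) -> Baseline:
    """Walk root and record digest and permission bits of every regular file."""
    base: Baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                     # skip symlinks, devices etc.
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            base[os.path.relpath(full, root)] = (digest, stat.S_IMODE(st.st_mode))
    return base

def compare(old: Baseline, new: Baseline) -> List[str]:
    """Return human-readable findings; an empty list means nothing changed."""
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            findings.append(f"ADDED    {path}")
        elif path not in new:
            findings.append(f"REMOVED  {path}")
        elif old[path][0] != new[path][0]:
            findings.append(f"MODIFIED {path} (content)")
        elif old[path][1] != new[path][1]:
            findings.append(f"MODIFIED {path} (mode)")
        # A setuid bit absent from the baseline is the classic backdoor sign (step 1).
        if path in new and new[path][1] & stat.S_ISUID and not (
                path in old and old[path][1] & stat.S_ISUID):
            findings.append(f"SETUID   {path}")
    return findings

def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)

def demo() -> List[str]:
    """Build a constructed tree, take a baseline, tamper with it, and compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("login", "netstat"):
            _write(os.path.join(root, "bin", name), b"original " + name.encode())
        baseline = snapshot(root)
        # Simulated intrusion: a trojaned login and a hidden setuid copy of sh.
        _write(os.path.join(root, "bin", "login"), b"trojaned login")
        shell_copy = os.path.join(root, "bin", ".sh")
        _write(shell_copy, b"copy of /bin/sh")
        os.chmod(shell_copy, 0o4755)
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print("\n".join(demo()))
```

Real deployments keep the baseline (and the signed digests the text mentions) off the monitored host, since a baseline stored alongside the binaries can be altered together with them.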
Now let us analyze the above technique to distinguish best practice from reality. Is it really possible for systems administrators and security administrators to do all this? The answer is yes and no. It would probably be done once, and then over a period of time new servers would be added, old ones decommissioned yet still left on the network, and people would change jobs. Does the company comply with secure coding practices; are they enforced and audited? The answer to some of these questions is no. Security is a weak link problem: one component fails in security and that makes the whole system vulnerable. In 19XX there was a large network attack (a bit harsh a word) carried out by a teenager using most of the above exploits in addition to a few more. Common sense and the urge to learn more drove the teenager to jump around the country using Portland State University computers. MIT, the Department of Defense and other places were repeatedly compromised [4]. System administrators were baffled to find how easy it was to change the login script and deploy Trojan horses. The attacker also used old servers which were useless to the Portland computer department but were still connected to the network. Many expired and inactive user accounts were used to carry out these attacks. In this case it was humans (system administrators) who discovered the attack, and they used technical tools to block it. Most of the time, doing such correlations in large organizations is very difficult to achieve. Attacks are reaching a level of sophistication where they employ anti-forensics techniques to cover their footprints. Establishing the relationship between events in logs on various machines in a distributed environment is very difficult, as these relations are typically obscure. At best, log analysis is the art of extracting meaningful information and drawing the right conclusions about the security state. It cannot be categorized as a science because it is purely dependent on the individual’s analysis, skills and pure luck.

These logs tend to be of dissimilar formats due to the ‘diverse’ standards in an organization. Organizations should put the logging process into their standards and guidelines, as this helps correlate the events of an attack. The information in log files can be extremely rich, but due to the huge amount of information, analysis can be a complicated task. Gigabytes worth of logging is not uncommon in large enterprises. Log aggregation, or centralization, is becoming a common trend in organizations, as logs are one of the key sources for detecting computer attacks. Without standardization and centralization this is an impossible target to achieve.


Honey Net



A honeynet is based on the concept of a ‘Deception Sensor’ [5]. Such sensors provide deceptions for all but authorized accesses, so that the attacker believes they are getting legitimate services while the defender detects all illegitimate access attempts. This has the dual effect of slowing attacks and detecting large portions of the overall attack space. It produces no false positives and only produces false negatives when the attacker uses non-deception services in their attack. Hosts that comprise a honeynet and serve as potential (or actual) attack targets are called honeypots. A network of honeypots that is ready to be attacked is called a honeynet. Researchers configure honeypots and honeynets in a variety of ways to capture useful information about computer attacks without affecting other computers. Honeynet researchers set up data capture and control in such a way that intruders are unaware of the presence of these mechanisms.

In March 2003, the Azusa Pacific University Honeynet Research Project commissioned a honeypot on Microsoft Win2K Server in a class C implementation. The system was deployed with default options, without server patches or service packs. The Administrator password was set to null. This left the system open to many possible remote attacks. The SQL Server administrator account was locked to prevent a Slammer worm attack, though udp/1434 at the honeynet firewall was left open. The reason for leaving the port open was to explore the possibility of new attacks. The following figure shows an example of an oversimplified setup of a honeynet. The host running Snort IDS is connected via a dotted line to represent that the host listens but does not transmit. The figure also does not show a second network used for administering the honeynet. The host running Snort has a second interface on that network for managing the host and archiving log files.

Within a week of this setup being deployed, 171 distinct IP addresses accessed the servers. The ports that were prime targets were tcp/80, tcp/139, tcp/445, udp/137 and udp/1434. During monitoring, hackers mounted several attacks, including Code Red II and a buffer overflow attack. Several scans on udp/137 were done to gain information about users and the domain. An attack on udp/445, the CIFS service, was used to gain write access to files and folders, upload files etc. One of the interesting aspects of this attack was the installation of a worm that installed IRC (Internet Relay Chat) and joined a non-public IRC network channel. Inspection revealed the presence of 4,752 hosts on the channel. Network analysis showed 15,164 distinct IPs that joined the IRC channel over 10 days. “Such a structure, consisting of compromised hosts joined into a network via IRC is called botnet.” For illegitimate purposes these botnets are used in attacking IRC servers and Internet web sites. Botnet attacks are on the rise. A modified version of the Blaster attack of 2003 has been used in “different botnet network applications, including Gaobot, Spybot and Randex”.

Honeynets are very useful tools for learning about attackers, attack tools and motives. Although there are few tools available for supporting honeynets, the information captured by them has been incredible. It reveals that it is possible to launch sophisticated DDOS attacks with botnets against well defined web sites.


Architecture of Honeypots [Picture from Botnets: Big and Bigger By Bill McCarthy, Azusa University]

Let us look at this approach closely from a legal standpoint. Certain actions of a honeynet may violate intruder and third party privacy laws of the US. Many ethical questions are also raised in this context: should the network administrators of a compromised host be notified? In the past, complications have arisen where network administrators have accused informants of being the attackers. Also, if the administrator is notified, then it is likely that the intruder might be tipped off in the process. Also, the honeynet operator may not have the resources to contact such a huge number of infected hosts. It is certain that advice from honeynet operators is invaluable and helps detect attack motives and the multiple possible ways to attack a given vulnerability. I must point out that vulnerability management is also an important discipline. Analysts who have followed these trends over the years say that the rise in reports is simply because more people are monitoring networks for vulnerabilities. Adding to the vulnerabilities, there is a rapid increase in the population that is ‘always on’. A large percentage of such users have unguarded computers, which are taken advantage of by malware creators. To add to this confusion, organizations do not define vulnerabilities in the same way. There are a number of examples where three vulnerabilities may point to one and vice versa. There are a number of initiatives in this field now and it is getting simplified. For now it is humans who learn the attack patterns in honeypots. Honeypot products such as KFSensor and Mantrap allow a number of alert and watch points. They are highly configurable and offer a number of features for attack detection simulation. Despite these advances, detection of attacks is a difficult task. ‘Script kiddies’ and novice attackers may get bogged down in honeynets, but sophisticated attackers are still carrying out real damage. Running and maintaining decent honeynets involves cost. Is this cost bearable by small organizations? Do all organizations need to run honeynets? What if attackers develop a signature for honeynets and do not get lured into them?
Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget